Skip to main content

12.1.10 Checking the Audit Log

12.1.10 Checking the Audit Log
The audit log is collected when the audit function is used in these systems. Use the viewaudit command to refer to the audit log.
Operation Procedure
  1. Execute the viewaudit command on the XSCF shell.
    The following example displays all audit records.
XSCF> viewaudit
file,1,2012-04-26 21:37:25.626
header,20,1,audit - start,,2012-04-26 21:37:25.660 +00:00
header,43,1,authenticate,,2012-04-26 22:01:28.902 +00:00
authentication,failure,,unknown user,telnet 27652
header,37,1,login - telnet,,2012-04-26 22:02:26.459 +00:00
subject,1,opl,normal,telnet 50466
header,78,1,command - setprivileges,,2012-04-26
subject,1,opl,normal,telnet 50466
platform access,granted
  1. As shown in the above example, records are displayed in text format by default. One token is displayed per line, with a comma as the field delimiter character.

    The token types and their fields are shown in Table 12-6 (in the display order). 
Table 12-6  Token Types and Their Fields (in the Display Order)
Token Type Field (Display Order)
File Token Label, version, time, file name
Header Token Label, record byte count, version, event type, machine address, time (event recording time)
Subject Token Label, audit session ID, UID, mode of operation, terminal type, remote IP address, remote port
Upriv Token Label, success/failure
Udpriv Token Label, success/failure, user privilege, domain ID 1, ..., domain ID N
Command Token Label, command name, operand 1, ..., operand N
Authentication Token Label, authentication result, user name, message, terminal type, remote IP address, remote port
Return Token Label, return value
Text Token Label, text string
Note - Some fields might not be output depending on the environment.
  1. The main audit events and tokens are as follows:
  2. - Login telnet
  3. - Login SSH
    Same as for Login telnet
  4. - Login BUI
    Same as for Login telnet
  5. - Logout
  6. - Audit start
  7. - Audit stop
  8. - Shell command
    Upriv | Updpriv
Note - Some tokens might not be output depending on the environment. Also, this information is subject to change without prior notice for functional improvement.
Note - For details of the log options, audit classes, and audit events of the viewaudit(8) command, see the man pages or the Fujitsu SPARC M12 and Fujitsu M10/SPARC M10 XSCF Reference Manual.